Refer to #1895328: Security exploit in plupload external library examples folder. We should remove the examples folder from the plupload library in order to avoid the security risk stated in PSA-2011-02.

In order to include the plupload module in a Drupal distribution, e.g. DruStack, we need a patch file for drush make so that we can remove the examples folder by patching the library.

Comments

Patch file for plupload_1_5_5.zip.

Status: Active » Fixed

Thanks. Will link this issue from project's page.

Status: Fixed » Needs work

Pardon my presumption in setting this back to "needs work"—hopefully I'm the one in error—but I'm attempting to use this patch in a make file, and Drush reports that it's applying it, but the examples directory is still there afterward:

$ dr make my.make --no-core --no-patch-txt --libraries=plupload -y
Make new site in the current directory? (y/n): y
Drush make restricted to the following entries:                             [ok]
Libraries: plupload
plupload downloaded from http://plupload.com/downloads/plupload_1_5_5.zip.  [ok]
plupload patched with plupload-1_5_5-remove_examples-1903850-1.patch.       [ok]
$ ls sites/all/libraries/plupload/examples/
bg.jpg  custom.html  dump.php  jquery  upload.php  uploads

Even applying the patch manually (which works, so long as you use patch -p1 ...) leaves behind examples/bg.jpg and examples/uploads.

Am I missing the obvious, or does the patch not actually work? Or is it a problem with Drush make? Or both?

Status: Needs work » Active

Refer to http://git.wikia.com/wiki/Patches, patch now created with:

git format-patch HEAD^ -M -C -s -D --keep-subject --stdout > ../plupload-1_5_6-remove_examples-1903850-4.patch

It is therefore able to show the rename/delete action, and so works for both a Git checkout and the -dev.tar.gz package.


Too bad: with -D the patch cannot be applied by patch nor by git apply:

-D, --irreversible-delete
Omit the preimage for deletes, i.e. print only the header but not the diff between the
preimage and /dev/null. The resulting patch is not meant to be applied with patch nor git
apply; this is solely for people who want to just concentrate on reviewing the text after
the change. In addition, the output obviously lack enough information to apply such a
patch in reverse, even manually, hence the name of the option.

When used together with -B, omit also the preimage in the deletion part of a delete/create
pair.

Well... so recreate patch with:

git format-patch HEAD^ -M -C -s --keep-subject --stdout > ../plupload-1_5_6-rm_examples-1903850-5.patch

So, sorry, please manually remove the example folder after the patch is applied ;-)

Sorry for the silly question, but how should the line with that patch look in the my.make file?

This doesn't work:
libraries[plupload][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch

How else?

Hopefully my DruStack version can be your reference:

Some code snippet:

libraries[plupload][directory_name] = "plupload"
libraries[plupload][download][type] = "file"
libraries[plupload][download][url] = "http://plupload.com/downloads/plupload_1_5_6.zip"
libraries[plupload][patch][] = "http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch"
libraries[plupload][type] = "library"

Status: Active » Needs review

None of the above patches work with an archive version of plupload from https://github.com/moxiecode/plupload/archive/1.5.6.zip. This works:

projects[plupload_lib][type] = library
projects[plupload_lib][download][type] = get
projects[plupload_lib][download][url] = http://plupload.com/downloads/plupload_1_5_6.zip
projects[plupload_lib][directory_name] = plupload
projects[plupload_lib][patch][] = http://drupal.org/files/plupload-1_5_6-rm_examples-1903850-5.patch


Patch for 1.5.7


This should also work for 1.5.7


#9 and #10 did not work for me.

Here is new patch for 1.5.7

Perhaps plupload should have a make file itself for the library that includes the patch

Patch available at: https://drupal.org/node/2088143

Would like to make a patch but unsure how one does this for a library.

Would I unzip the library and then create a new repository, commit changes, then make changes and use git diff?

Confusing to create a patch for a non-repository... thanks in advance!

Patch revoke for v1.5.8 GIT from github

Not going to look into it now, but I wonder if there is a drush issue for removing a directory/files from a download. Not like plupload is the only library in this situation.

edit: drush error => drush issue

Title: [meta] Patch for remove plupload library examples folder for Drupal distribution » [meta] Patch to remove plupload library examples folder for Drupal distribution

Fixed grammar in title.

Patch confirmed working for us with minimal effort.

libraries[plupload][download][type] = "get"
libraries[plupload][download][url] = "https://github.com/moxiecode/plupload/archive/v1.5.8.zip"
libraries[plupload][patch][1903850] = "http://drupal.org/files/issues/plupload-1_5_8-rm_examples-1903850-16.patch"
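
The failure reported earlier in this thread, where Drush prints [ok] for the patch step while files such as examples/bg.jpg and examples/uploads are still on disk, can be caught with a check run after the make step. The script below is an added example, not part of the thread or of Drush; the function names are hypothetical, and the libraries root (sites/all/libraries in the thread) is passed as the argument.

```shell
#!/bin/sh
# Post-build guard for a drush make run: confirm that the plupload examples
# directory is really gone, whatever the patch step reported.
# Function names are hypothetical; $1 is the libraries root.

# Print every file or directory left under plupload/examples.
# Returns 0 when nothing is left, 1 otherwise.
leftover_examples() {
    dir="$1/plupload/examples"
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        return 0
    fi
    find "$dir" -print
    return 1
}

# Delete the examples directory. A symlink at that path is refused rather
# than followed, so the guard never deletes outside the library tree.
remove_examples() {
    dir="$1/plupload/examples"
    if [ -L "$dir" ]; then
        echo "refusing to remove symlink: $dir" >&2
        return 2
    fi
    rm -rf -- "$dir"
}

# Remove, then verify. A non-zero status should fail the build.
enforce_no_examples() {
    remove_examples "$1" || return $?
    if leftover_examples "$1" >/dev/null; then
        echo "plupload examples absent under $1"
    else
        echo "plupload examples still present under $1" >&2
        return 1
    fi
}

# Run only when a libraries root is given, e.g.:
#   sh guard.sh sites/all/libraries
if [ "$#" -gt 0 ]; then
    enforce_no_examples "$1"
fi
```

Running it as the last step of the build covers both cases seen above: a patch that silently leaves binary files and empty directories behind, and a patch that does not apply to a differently packaged archive.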